How to Secure a Stand-Alone Computer

A stand-alone computer is one that is in no way connected to another computer or networked device, such as a switch, hub, or router (with the possible exception of a direct-attached printer), or to the Internet or a local area network (LAN). The stand-alone computer should run a vendor-supported (i.e., currently being patched) operating system, such as a current version of Windows workstation or server, Linux, or Macintosh OS X. Because the stand-alone computer is not connected to the Internet or a local or wide area network, the emphasis for securing the data is placed on physical security of the computer and controlling access to the data.

Here are the minimum steps you should take to secure your sensitive data on your stand-alone computer:

Physical Security of a Stand-Alone Computer

Configure the BIOS to boot the computer from the hard drive only. Do not allow the stand-alone computer to be booted from the diskette or CD-ROM drive.

Password protect the BIOS so changes cannot be made to the BIOS without authorization.

Secure the computer on which your sensitive data resides in a locked room, or secure the computer to a table with a lock and cable (locking the case so the battery cannot be disconnected, which would disable the BIOS password) or both.

Remove or disable the network interface card (NIC) so it cannot be used.

Controlling Access to the Data

Restrict access to your sensitive data to project personnel using the security features available via the operating system (e.g., login via userid/password and NTFS permissions in Windows, ACLs in Linux and OS X).

To verify passwords are strong, get permission from your Dean, Department Head or Director (or the equivalent in your company), and audit your passwords with L0PHTCRACK.

Password protect screen saver and activate after 10-15 minutes of inactivity (if using a password of fewer than 16 characters, set your password-protected screen saver to activate after 3 minutes of keyboard or mouse inactivity). Since the screen saver will not activate for 3-15 minutes, it is recommended that you lock your screen (Windows = Windows Key + L) whenever you walk away from your computer, even for a few minutes.

Install and periodically run a secure erasure program. This program should be run monthly and after the secure data has been removed from the computer at the end of the contract period. (e.g., Eraser works well.)

Do not copy or move the sensitive data out of the secured directory for any reason.